75 lines
3.8 KiB
Plaintext
75 lines
3.8 KiB
Plaintext
# log-noise.patterns - Daily Operations Report
|
|
#
|
|
# Format:
|
|
# - One Extended Regex (ERE) per non-comment line.
|
|
# - Lines starting with '#' (after optional whitespace) are comments.
|
|
# - Empty / whitespace-only lines are ignored.
|
|
# - Patterns are applied case-insensitively (grep -Eaif).
|
|
# - The file is normalized via lib/normalize-noise-patterns.sh before use.
|
|
#
|
|
# Per pattern, document:
|
|
# - Why this is noise (root cause, not just "expected").
|
|
# - When to re-check / what would invalidate the assumption.
|
|
#
|
|
# Adding a new pattern: prefer the narrowest container.* prefix and the
|
|
# narrowest message anchor. A pattern that matches across containers or
|
|
# matches generic error strings will hide real signal.
|
|
#
|
|
# Removing a pattern: replace with a fresh attention example in the next
|
|
# daily report and consult before reintroducing.
|
|
#
|
|
# Last reviewed: 2026-05-21
|
|
|
|
# Loki internal query cancellations / scheduler chatter.
|
|
# Why: Loki cancels internal queries continuously when downstream Promtails
|
|
# or Grafana panels drop connections; no user-visible outage by itself.
|
|
# Re-check: if Grafana dashboards show real Loki query failures or if
|
|
# Prometheus alerts fire on Loki ingestion / availability.
|
|
monitoring-loki.*(context canceled|error notifying scheduler|closing iterator)
|
|
|
|
# node-exporter parsing /host/proc/mdstat on Unraid.
|
|
# Why: Unraid uses its own array driver, not Linux mdadm, so /proc/mdstat
|
|
# layout is unparsable for node-exporter. Pure collector noise.
|
|
# Re-check: only if migrating to mdadm-based RAID. Then remove this entry
|
|
# and act on real mdadm errors.
|
|
monitoring-node-exporter.*mdadm.*Cannot parse /host/proc/mdstat
|
|
|
|
# Gitea OpenID login attempts return 403.
|
|
# Why: OpenID provider is intentionally disabled in Gitea config; 403 is
|
|
# the expected response for stale OAuth callback URLs.
|
|
# Re-check: when OpenID/OIDC gets enabled again. Remove this and treat
|
|
# the 403 as a real auth failure signal.
|
|
gitea.*user/login/openid.*403 Forbidden
|
|
|
|
# Tailscale PCP port mapping failure (NAT-PMP unsupported by router).
|
|
# Why: Tailscale falls back to STUN/DERP transparently; no functional impact.
|
|
# Re-check: if Tailscale reports persistent connectivity problems in real
|
|
# usage, or if a router change adds NAT-PMP support.
|
|
Tailscale-Docker.*failed to get PCP mapping
|
|
|
|
# Immich version check failed to reach GitHub releases API.
|
|
# Why: External GitHub release check; transient failures do not affect
|
|
# Immich core functionality.
|
|
# Re-check: if Immich UI persistently warns about being outdated or if
|
|
# security updates are missed because of this.
|
|
immich_server.*Failed to fetch latest release
|
|
|
|
# Authelia 408 client-side request timeouts.
|
|
# Why: Clients (browsers, Vaultwarden-CLI etc.) drop slow connections;
|
|
# without correlated login failures or 5xx, individual 408s are normal.
|
|
# Re-check: if 408-rate spikes (>5/min sustained) or if login flows complain.
|
|
# Then narrow this pattern instead of removing.
|
|
authelia.*Request timeout occurred.*status_code=408
|
|
|
|
# Vaultwarden expired sessions and invalid refresh tokens (auth/session class).
|
|
# Why: Normal session expiry; clients retry and re-login transparently.
|
|
# Re-check: if many distinct external IPs trigger 401s in a short window
|
|
# (possible brute-force or credential-stuffing pattern).
|
|
#
|
|
# NOTE: DNS / Connect / Resolve / reqwest / hyper-client errors are
|
|
# intentionally NOT suppressed here. They are real network signals
|
|
# and should be visible in the attention list. If push-notification
|
|
# noise becomes overwhelming, add a *narrow* pattern restricted to
|
|
# push contexts only (e.g. `vaultwarden.*push.*(ResolveError|...)`).
|
|
vaultwarden.*(Token has expired|Invalid refresh token|Failed to decode.*refresh_token|POST /identity/connect/token => 401 Unauthorized)
|